Export (0) Print
Expand All
Expand Minimize

Manage Mobile Devices with Configuration Manager and Microsoft Intune

Updated: February 23, 2015

Applies To: Microsoft Intune, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

noteNote
The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage iOS, Android (including Samsung KNOX), Windows Phone, and Windows devices by using the Microsoft Intune service over the Internet. Although you use the Microsoft Intune service, management tasks are completed by using the Windows Intune connector site system role available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you option of managing Windows 8.1 devices, in the same manner of mobile devices, that do not have the Configuration Manager client installed.

You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Intune, you have the following management capabilities:

  • You can retire and wipe devices.

  • You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication.

  • You can deploy line of business apps to devices.

  • You can deploy apps from the store that the device connects to, Windows Store, Windows Phone Store, App Store, or Google Play.

  • You can collect hardware inventory.

  • You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console with Microsoft Intune to manage mobile devices. After extending Configuration Manager with Microsoft Intune you can give users permission to enroll their personal devices or enroll corporate-owned devices to be managed.

Use the following sections to help you manage mobile devices by using the Windows Intune connector.

Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune.

 

External dependencies More information

Sign up for a Microsoft Intune subscription and account

When you sign-up for Intune you subscribe to a trial subscription. You can convert the trial into a paid (full) subscription at any time from within the Microsoft Intune account portal.

You can sign up for a subscription at Microsoft Intune.

For more information, see Task 1: Subscribe to Microsoft Intune and Acceptable Use Policy for Microsoft Intune in the Documentation Library for Intune.

Add a public company domain.

All user accounts must have a publicly verifiable domain name that can be verified by Intune.

Verify users have a public domain UPN.

Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Deploy and configure directory synchronization.

There are several methods you can use for directory integration with Intune. These methods are the same for all Azure AD tenants. Therefore, to learn about the available methods and to drill through to procedures for the method you select, start with the Directory integration topic.

Create a DNS alias.

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

The CNAME record is used as part of the enrollment process.

The Microsoft Intune subscription lets you specify your configuration settings for the Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role that lets you connect to the Microsoft Intune service. This connector site system role will push settings and applications to the Intune service. The Intune subscription performs the following:

  • Retrieves the certificate that the Windows Intune connector requires to connect to the Intune service.

  • Defines the user collection that enables users to enroll mobile devices.

  • Defines and configures the mobile platforms that you want to support.

To create the Microsoft Intune subscription

  1. In the Configuration Manager console, click Administration.

  2. For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

    For System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Windows Intune Subscriptions.

  3. For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Windows Intune Subscription.

    System Center 2012 R2 Configuration Manager: On the Home tab, click Add Windows Intune Subscription.

  4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.

  5. On the Subscription page, click Sign in and sign in by using your work or school account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option.

    ImportantImportant
    Once you select Configuration Manager as your management authority, you cannot change the management authority to Microsoft Intune in the future.

  6. Click the privacy links to review them, and then click Next.

  7. On the General page, specify the following options, and then click Next.

    • Collection: Specify a user collection that contains users who will enroll their mobile devices.

      noteNote
      If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours when the user record is removed from the user database.

    • Company name: Specify your company name.

    • URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company.

    • Color scheme for company portal: Optionally, change the default color of blue for the company portals.

    • Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.

      noteNote
      Changing the site code affects only new enrollments and does not affect existing enrolled devices.

  8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.

For each device type that you selected, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next and complete the wizard.

The Windows Intune connector sends settings and software deployment information to Microsoft Intune and retrieves status and inventory messages from mobile devices. The Intune service acts as a gateway that communicates with mobile devices and stores settings.

noteNote
The Windows Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

To configure the Windows Intune Connector role

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:

    • New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.

    • Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

  4. On the System Role Selection page, select Windows Intune Connector, and click Next.

  5. Complete the wizard.

Before device can be enrolled you must establish a trust relationship between the management solution and the managed mobile devices. This relationship is platform-specific so if, for example, you want to manage both iOS devices and Windows Phone devices you must complete the prerequisites for both platforms. The following table lists the certificates or keys that you must have to enroll mobile platforms.

 

Platform Certificates or keys How you obtain certificates or keys

Windows Phone 8

Before you can configure mobile device management for Windows Phone 8.0, the company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices and you must create an application in the Software Library.

Buy a code signing certificate from Symantec.

If you are just testing this out in a trial version, you can use the Support tool for Windows Phone trial management.

Frequently asked questions about Windows Phone mobile device management

Windows Phone 8.1 and Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.

Sideloading keys: Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps.

All sideloaded apps must be code-signed.

Buy sideloading keys from Microsoft.

All apps must be code-signed by using your company’s certification authority or an external certification authority.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see the Prepare to enroll iOS Devices in this topic.

Android 4.0+ and Samsung KNOX

None.

Not applicable.

Prepare to enroll iOS Devices

To enroll iOS devices, you must follow these steps:

  1. Download a certificate signing request
    This certificate signing request lets you apply to for an Apple Push Notification service (APNS) certificate from the Apple certification authority.

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

    3. On the Home tab, in the Create group, click Create APNs certificate request.

    4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download.

    5. On the Microsoft Intune sign in page, enter your work or school account and password. After you sign in, the certificate signing request is downloaded to the location that you specified.

  2. Request an Apple Push Notification service certificate from the Apple website

    1. Connect to the Apple Push Certificates Portal.

    2. Sign in and complete the wizard.

      noteNote
      Make sure that you use a company Apple ID account to obtain the Apple Push Notification service certificate. When you return to the Apple site to renew the certificate, you must use the same account.

  3. Check the dialog checkbox to Enable iOS in the Configuration Manager console.

  4. Upload the APNS certificate to Intune.

    ImportantImportant
    Do not upload the Apple Push Notification service (APNS) certificate until you have enable iOS support in the Intune console.

  5. On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple.

Prepare to enroll Windows and Windows Phone mobile devices

To support the Company Portal app for Windows Phone 8.0 and to deploy company apps to Windows Phone 8.1 you must get a Symantec Enterprise Mobile Code Signing Certificate. You cannot use a certificate issued by your own certification authority because only the Symantec certificate is trusted by Windows Phone devices. For more information, see Frequently Asked Questions about Windows Phone Mobile Device Management.

  1. Join the Windows Phone Dev Center
    Join the Windows Phone Dev Center using corporate account information when logging in to purchase your company account. This request will need to be authorized by a company officer before you receive a code-signing certificate.

  2. Get a company Symantec certificate
    Purchase a certificate from the Symantec website using your Symantec ID. After you purchase the certificate, the corporate approver whom you designated in your Windows Phone Dev Center account will receive an email asking for approval of the certificate request. For more information about the Symantec certificate requirement, see the Why Windows Phone requires a Symantec certificate?Windows device enrollment FAQ.

  3. Import certificates
    Once the request has been approved, you will receive an email containing instructions for importing certificates. Follow the instructions in the email to import the certificates.

  4. Verify certificates imported
    To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates you imported should appear in the results.

    Certificate search

  5. Export a signing certificate
    Having verified that the certificates are present, you can export the .pfx file to sign the company portal. Select the Symantec certificate with Intended purpose “code-signing.” Right-click the code-signing certificate and select Export.

    Certificate export

    In the Certificate Export Wizard, select Yes, export the private key and then click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  6. Download the Company Portal
    Download the Intune Company Portal for Windows Phone from the Download Center. The default installation location is C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone.

  7. Download the SDK
    Download the Windows Phone SDK.

  8. Code-sign the Company Portal app
    Use the XAPSignTool app downloaded with the SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

  9. Create an application for distribution
    Create an application for distribution using the signed company portal app. Select Automatically detect information about this application from installation files. In Type, select Windows Phone app package (*.xap) file. In Location, browse to a network share where you have copied the ssp.xap. On the General Information page, enter a name that will show up in the Configuration Manager console, but note that the application will always be displayed as Company Portal in the app list on Windows Phones.

  10. Enable management by Configuration Manager
    Complete the following steps for the Windows devices you will manage

    1. Windows Phone 8 and Windows Phone 8.1 Devices

      1. For Windows Phone 8.1, you must enable the Windows Phone 8.1 extension in the Configuration Manager console. For more information, see How to Enable Extensions.

      2. On the Windows Phone page, specify the .pfx file that you received.

      3. Specify the name of the Microsoft Intune company portal application package that you created.

      4. Windows Devices
        Windows RT, Windows RT 8.1 and Windows 8.1 devices require that all sideloaded apps be signed with a trusted code-signing certificate.

        1. On the Windows RT Configuration page, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

          noteNote
          All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

        2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices section in this topic.

  11. Distribute the application
    Use the Distribute Content wizard to distribute the Microsoft Intune company portal application to the manage.microsoft.com distribution point.

    ImportantImportant
    Do not create a deployment for this application - the deployment will be automatically created when you complete the Microsoft Intune Subscription Wizard.

Prepare to enroll Android devices

For System Center 2012 R2 Configuration Manager, users can download the Android company portal app from Google Play that lets them enroll Android (including Samsung KNOX) devices. With the Android company portal app, you can manage compliance setting, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft